What Gail is saying is that someone who is sysadmin on another instance could take the backup and the cert and restore it elsewhere and as they are sysadmin will automatically have database permission to open the encryption key.

They do still of course need to know the password that the cert backup was encrypted with, and be able to access the disk location where it's stored.

There are many factors, but essentially the weaker your security around the stored backups the more possible it becomes.